US20070297611A1 - Method for Security Association Negotiation with Extensible Authentication Protocol in Wireless Portable Internet System - Google Patents

Method for Security Association Negotiation with Extensible Authentication Protocol in Wireless Portable Internet System Download PDF

Info

Publication number
US20070297611A1
US20070297611A1 US11/661,172 US66117205A US2007297611A1 US 20070297611 A1 US20070297611 A1 US 20070297611A1 US 66117205 A US66117205 A US 66117205A US 2007297611 A1 US2007297611 A1 US 2007297611A1
Authority
US
United States
Prior art keywords
security association
subscriber station
base station
authentication
capability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US11/661,172
Other versions
US8127136B2 (en
Inventor
Mi-Young Yun
Jung-Mo Moon
Chul-Sik Yoon
Yeong-Jin Kim
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electronics and Telecommunications Research Institute ETRI
Samsung Electronics Co Ltd
SK Telecom Co Ltd
KT Corp
SK Broadband Co Ltd
Original Assignee
Electronics and Telecommunications Research Institute ETRI
Samsung Electronics Co Ltd
SK Telecom Co Ltd
KT Corp
KTFreetel Co Ltd
Hanaro Telecom Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Electronics and Telecommunications Research Institute ETRI, Samsung Electronics Co Ltd, SK Telecom Co Ltd, KT Corp, KTFreetel Co Ltd, Hanaro Telecom Inc filed Critical Electronics and Telecommunications Research Institute ETRI
Publication of US20070297611A1 publication Critical patent/US20070297611A1/en
Assigned to KTFREETEL CO., LTD., KT CORPORATION, HANARO TELECOM., INC., SK TELECOM CO., LTD., ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE, SAMSUNG ELECTRONICS CO., LTD. reassignment KTFREETEL CO., LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: KIM, YEONG-JIN, MOON, JUNG-MO, YOON, CHUL-SIK, YUN, MI-YOUNG
Assigned to KT CORPORATION reassignment KT CORPORATION MERGER (SEE DOCUMENT FOR DETAILS). Assignors: KTFREETEL CO., LTD.
Application granted granted Critical
Publication of US8127136B2 publication Critical patent/US8127136B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/062Pre-authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W36/00Hand-off or reselection arrangements
    • H04W36/0005Control or signalling for completing the hand-off
    • H04W36/0011Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W36/0033Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W36/0038Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information

Definitions

  • the present invention relates to a security association negotiation method of extensible authentication protocol (EAP) for authenticating a subscriber station user in a wireless portable Internet system. More particularly, the present invention relates to a security association negotiation method for generating an authentication key without an additional message exchange in an authentication scheme using EAP in a wireless portable Internet system.
  • EAP extensible authentication protocol
  • wireless portable Internet further provides mobility to a local data communication system such as a conventional wireless local area network (LAN) using a stationary access point (AP).
  • LAN wireless local area network
  • AP stationary access point
  • IEEE 802.16 working group attempts to establish an international standard of the wireless portable Internet protocol.
  • the authentication and authorization standard defined by the IEEE 802.16 establishes authentication functions for stations in a wide area network configured with wireless networks.
  • the subscriber station (SS) authentication function standardized by a privacy layer of the IEEE 802.16 is defined only for SSs within a fixed network, it is inappropriate for the authentication function to apply SSs or subscribers to be capable of supporting mobility, which is a current trend of mobile services. That is, in the wireless portable Internet system, the subscriber station has mobility, so it moves from a base station to another base station, and when a handover occurs, authentication key generation and security association negotiation need to be performed with a new base station.
  • a PKM—(public key management) RSA method which utilizes a certificate of the mobile terminal and a PKM-EAP method for authenticating a mobile subscriber are defined.
  • the PKMv1 protocol may be exemplified.
  • a terminal is authenticated by using a certificate of a mobile terminal in the IEEE 802.16 standard, and an authentication key (AK) and a traffic encryption key (TEK) are generated.
  • AK authentication key
  • TEK traffic encryption key
  • a newly defined PKMv2 protocol provides more various authentication methods than does the PKMv1 protocol.
  • the PKM-RSA method for authenticating a mobile terminal the PKM-EAP method for authenticating a mobile subscriber, and PKM-RSA with EAP for authenticating both a mobile terminal and a mobile subscriber may be exemplified.
  • the authentication key is generated by using a master key (MK) which may be obtained after authentication of a mobile terminal or a user.
  • MK master key
  • the authentication key is generated after authenticating a mobile subscriber and exchanging the master key (MK) and random numbers of the base station and the subscriber station.
  • MK master key
  • the PKMv2 protocol it does not follow the basic design concept of the PKMv2 protocol. Therefore, when a handover of the subscriber station occurs, an additional message exchange is necessary, and the exchange of the random numbers through an authentication message is necessary for generating the authentication key for a new base station.
  • the present invention has been made in an effort to provide a security association negotiation method having the advantage of corresponding to a basic design concept of the PKMv2 protocol.
  • An exemplary security association negotiation method using a user authentication in a wireless portable Internet system includes the following steps.
  • a base station generates an authentication key for authenticating a user of a subscriber station.
  • the base station receives a security association capability request message including security association capability information of the subscriber station from the subscriber station after generating the authentication key.
  • the base station determines whether the base station is able to accept a security association capability of the subscriber station included in the security association capability request message.
  • the base station transmits a security association capability response message including the security association capability information which is selected for a security association with the subscriber station by the base station when the security association capability of the subscriber station can be accepted.
  • An exemplary security association negotiation method using a user authentication in a wireless portable Internet system includes the following steps.
  • a first base station generates a second authentication key by transmitting a master key, which is to be a seed of a first authentication key of a subscriber station which hands over to a second base station; to the second base station.
  • the first base station provides a first security association descriptor including security association capability information, which is previously negotiated with the subscriber station, to the second base station.
  • the subscriber station exchanges a register request message (REG-REQ) and a register response message (REG-RSP) with the second base station.
  • REG-REQ register request message
  • REG-RSP register response message
  • a second security association descriptor generated based on the first security association descriptor is provided by using the register response message to the subscriber station, and it is determined whether a security association capability is fulfilled.
  • a security association identifier included in the second security association descriptor is admitted and a security association is renewed when the security association capability is fulfilled.
  • FIG. 1 is a schematic diagram illustrating a configuration of wireless portable Internet according to an exemplary embodiment of the present invention.
  • FIG. 2 shows a layer structure of the wireless portable Internet system shown in FIG. 1 .
  • FIG. 3 is a schematic diagram illustrating a connection between a subscriber station and a base station in the wireless portable Internet system shown in FIG. 1 .
  • FIG. 4 is a flowchart showing an authentication key generating process using EAP according to an exemplary embodiment of the present invention.
  • FIG. 5 shows a message flow illustrating an authentication process according to an exemplary embodiment of the present invention.
  • FIG. 6 to FIG. 8 show message configurations for security association negotiation according to an exemplary embodiment of the present invention.
  • FIG. 9 illustrates a method for performing EAP authentication and security association negotiation after a handover according to an exemplary embodiment of the present invention.
  • FIG. 10 is a flowchart showing a security association negotiation method according to an exemplary embodiment of the present invention.
  • FIG. 11 is a flowchart showing a method for performing a security association negotiation when a handover occurs, according to an exemplary embodiment of the present invention.
  • FIG. 1 is a schematic diagram illustrating a configuration of wireless portable Internet according to an exemplary embodiment of the present invention.
  • the wireless portable Internet system includes a subscriber station 10 (SS), base stations 20 and 21 (BS) performing a wireless communication with the subscriber station 10 , routers 30 and 31 connected with the base stations 20 and 21 through a gateway, and an AAA server (AAA: authentication, authorization, and accounting) 40 connected to the routers 30 and 31 for performing an authentication for the subscriber station 20 and 21 .
  • SS subscriber station 10
  • BS base stations 20 and 21
  • AAA server AAA server
  • a conventional wireless LAN such as IEEE 802.11 provides a data communication scheme in which only near distance wireless communication using a stationary access point is possible. Therefore, this does not support the mobility of the subscriber station, and merely support a wireless local data communication.
  • the wireless portable Internet system being developed by the IEEE 802.16 group supports the mobility even when the subscriber station 10 shown in FIG. 1 moves from a cell controlled by the base station 20 to a cell controlled by the base station 21 , so that it can provide the data communication service.
  • the IEEE 802.16 is a standard for supporting metropolitan area network (MAN). In other words, it supports a middle size network between local area information communication network (LAN) and wide area communication network (WAN).
  • MAN metropolitan area network
  • LAN local area information communication network
  • WAN wide area communication network
  • the wireless portable Internet system supports a handover of the subscriber station 10 like a mobile communication service, and performs a dynamic IP address allocation according to movement of the subscriber station.
  • the subscriber station 10 and the base stations 20 and 21 of the wireless portable Internet performs a communication in the orthogonal frequency division multiplexing access (OFDMA) scheme.
  • the OFDMA scheme is a multiplexing scheme that combines the frequency division multiplexing scheme using a plurality of orthogonal frequency sub-carriers as a plurality of sub-channels, and the time division multiplexing (TDM) scheme.
  • TDM time division multiplexing
  • the subscriber station 10 and the base stations 20 and 21 negotiate an authentication mode for an authentication of the subscriber station 10 ; and perform an authentication process according to the negotiated authentication mode. That is, the subscriber station 10 and the base stations 20 and 21 select the authentication mode from an authentication mode based on a digital certificate according to the conventional IEEE 802.16 privacy standard and another authentication mode based on standardized authentication protocol of a higher layer, and according to the selected authentication mode, performs the authentication process for the subscriber station 10 .
  • the standardized authentication protocol of the higher layer may be one of EAP-TLS (Transport Layer Security) which is an EAP framework, or EAP-TTLS (Tunneled TLS).
  • EAP-TLS Transport Layer Security
  • EAP-TTLS Tuneled TLS
  • the subscriber station 10 and base station 20 are ready for an authentication process based on the standardized authentication protocol of the higher layer.
  • the subscriber station 10 generates a message for the authentication and transmits it to the base station 20 , and the base station 20 performs the authentication for the subscriber station 10 through an interaction with the AM server 40 .
  • FIG. 2 is a layer diagram showing a layer structure of the wireless portable Internet system shown in FIG. 1 .
  • the layer structure of the wireless portable Internet system according to IEEE 802.16 includes a physical layer L 10 and media access control (MAC) layers L 21 , L 22 , and L 23 .
  • MAC media access control
  • the physical layer L 10 provides wireless communication functions performed by a typical physical layer such as modulation/demodulation and coding.
  • the wireless portable Internet system has one MAC layer for providing various functions.
  • the MAC layer includes a privacy sub-layer L 21 , a MAC common part sub-layer L 22 , and a service specific convergence sub-layer L 23 .
  • the privacy sub-layer L 21 performs equipment authentication, security key exchange, encryption, etc.
  • the privacy sub-layer L 21 performs the authentication only for equipment, and a user authentication such as the EAP is performed by a higher layer of MAC (not shown).
  • the MAC common part sub-layer L 22 is a core part of the MAC layer, and it performs system access, bandwidth allocation, traffic connection set up and maintenance, QoS management, etc.
  • the service specific convergence sub-layer L 23 performs payload header suppression, QoS mapping, etc., in continuous data communication.
  • FIG. 3 shows a connection configuration between the subscriber station 10 and the base station 20 and 21 of the wireless portable Internet system shown in FIG. 1 .
  • traffic connection C1 does not mean a physical connection but rather a logical connection, and is defined as a mapping relationship which is formed between peers of the equivalent MAC layers in order to transmit traffic for a service flow.
  • a parameter or a message defined on the traffic connection C 1 are functions performed between the equivalent MAC layers.
  • the parameter and the message are processed to be a frame, and are transmitted through the physical layer. Then, the frame is analyzed, and the functions corresponding to the parameter or the message are performed in the MAC layer.
  • a MAC message includes various messages such as a request for some operation (REQ), a response (RSP), and an acknowledgement (ACK).
  • REQ request for some operation
  • RSP response
  • ACK acknowledgement
  • FIG. 4 is a flowchart showing a process for generating an authentication key using EAP according to an exemplary embodiment of the present invention.
  • an authentication process between the AAA server 40 and the subscriber station 10 is performed, and then an AAA key is generated in step S 10 . That is, the subscriber station transmits an EAP transmission request message which is a high authentication protocol to the base station, and the authentication server distributes the MA key which is generated by performing authentication and authority verification to the base station and the subscriber station. After that, the AAA is used as a seed of an authentication key (AK).
  • AK authentication key
  • a master key MK is generated from the AAA key.
  • the master key MK may be generated by using 160 bits of the most significant bit (MSB) of the AAA key in step S 20 .
  • a pre-master key PMK is generated by using an identifier of the subscriber station and an identifier of the base station in step S 30 .
  • the authentication key AK for the EAP authentication is generated in the subscriber station and the base station.
  • the authentication key is distributed to the subscriber station and the base station.
  • the authentication key may also have a field for an RSA authentication.
  • the field for the RSA authentication is given to be NULL.
  • the negotiation process and the authentication process for the security association are not operated together but are operated separately.
  • FIG. 5 shows a message flow illustrating the authentication process according to an exemplary embodiment of the present invention.
  • the generation of the authentication key shown in FIG. 4 is performed by transmitting/receiving a plurality of EAP-transmission messages between the subscriber station 10 and the base station 20 .
  • An EAP message which the subscriber station 10 requests to the base station 20 , includes packet data supported by the subscriber station which requests the authentication, an identifier for an encryption/authentication algorithm, a basic CID for the subscriber station, and an EAP payload which is authentication data for the user authentication.
  • Another EAP message, that the base station 20 receiving the AAA key form the AAA server 40 (not shown in FIG. 5 ) transmits includes the encryption algorithm co-owned with the subscriber station, notification of success or failure of the authentication, valid time for the authentication key, and the EAP payload for the user authentication.
  • the EAP message request and response process may be performed several times until the authentication key is generated.
  • notification of success in the authentication for the EAP-transmission message is lastly transmitted to the subscriber station 10 , and authentication keys AK of the subscriber station 10 and the base station 20 are generated in step S 41 and S 42 .
  • the security association negotiating process is performed separately from the authentication key generating process in step S 50 .
  • a security association capability request message and a security association capability response message are newly defined.
  • the subscriber station 10 transmits the security association (SA) capability request message including an HMAC tuple TLV generated by using the authentication key (AK).
  • SA security association
  • AK authentication key
  • the base station 20 inspects suitability of the HMAC tuple, and transmits the security association capability response message to the mobile subscriber station.
  • the base station 20 transmits a security association capability deny message to the mobile subscriber station.
  • a security association capability corresponding to an intersection of the security association capabilities of the subscriber station 10 and the base station 20 is selected.
  • FIG. 6 to FIG. 8 show configurations of messages for the security association negotiation according to an exemplary embodiment of the present invention.
  • FIG. 6 shows a configuration of the security association capability request message according to an exemplary embodiment of the present invention.
  • the subscriber station After the EAP authentication, the subscriber station transmits the security association capability request message as shown in FIG. 6 to the base station.
  • the security association capability request message includes security capability, primary security association identifier (SAID), and characteristics of the HAMC tuple.
  • the security capability is information about all capabilities of the security and encryption owned by the subscriber station.
  • the primary SAID is an identifier for the security association (SA) of the subscriber station. It includes a basic CID.
  • HMAC tuple is generated by using the authentication key (AK).
  • AK authentication key
  • a key sequence number in the HMAC tuple is generated by using a hash function.
  • the authentication key (AK) is used as an input value for the hash function.
  • FIG. 7 shows a configuration of the security association capability response message according to an exemplary embodiment of the present invention.
  • the security association capability response message is a response for the security association capability request message. It is transmitted when the base station can accept the request of the subscriber station.
  • the security association capability response message includes the key sequence number, a security association descriptor (SA descriptor), and characteristics of the HMAC tuple.
  • the key sequence number is information about a sequence number of the authentication key (AK). This may be generated by adding 1 to a previous key sequence number by the base station.
  • the security association descriptor is a complex descriptor. It defines a security association identifier (SAID) and additional characteristics of the security association.
  • the security association identifier (SAID) is an identifier for a cipher suit which is selected for a basic security association of the subscriber station.
  • the security association descriptor includes information about a data encryption algorithm corresponding to the SAID, a message authentication scheme, and a traffic key encryption scheme.
  • a DES algorithm is used for the data encryption algorithm
  • HMAC is used for the message authentication
  • a 3DES algorithm is used for the traffic key encryption.
  • the HMAC tuple is generated by using the authentication key (AK).
  • AK authentication key
  • FIG. 8 shows the security association capability request deny message according to an exemplary embodiment of the present invention.
  • the security association capability request deny message includes an error code for identifying a denial reason for the security association capability request message, and the HMAC tuple is generated by using the authentication key.
  • a security association negotiation may be provided through the security association capability request message and the security association capability response message after generating the authentication key.
  • FIG. 9 is showing an EAP authentication and security association negotiation method after a handover according to an exemplary embodiment of the present invention.
  • the base station 21 When a handover occurs in the subscriber station 10 from the base station 20 to the base station 21 , the base station 21 , which is a target base station, receives the master key from the base station 20 in order to generate the authentication key, and performs an authentication with the subscriber station 10 .
  • the base station 21 which has received the master key, generates the pre-master key (PMK) and the authentication key (AK) by using its own base station identifier.
  • a ranging process is performed for an initial timing synchronization.
  • a register request message (REG-REQ) and a register response message (REG-RSP), which are MAC messages, are exchanged.
  • REG-REQ register request message
  • REG-RSP register response message
  • the security association capability is fulfilled with reference to the security association identifier (ID) included in the security association descriptor information received from the base station 20 .
  • ID security association identifier
  • the subscriber station 10 selects the security association identifier which is one of the previously negotiated security association capabilities, the EAP authentication and security association of the subscriber station may be performed without an additional message.
  • the subscriber station may transmit a security association capability adding message for the additional security association negotiation.
  • the security association capability adding message may be provided in substantially the same scheme as the security association capability request message.
  • the efficient EAP authentication and security association negotiation which corresponds to the PKMv2 design concept can be provided without additional message exchanges between the base station and the subscriber station, such as the random number exchange.
  • FIG. 10 is a flowchart showing a security association negotiation method according to an exemplary embodiment of the present invention.
  • the subscriber station When the subscriber station tries an initial access with the base station, the subscriber station performs the authentication process with the AAA server, and the AAA key is randomly generated in step S 100 .
  • the AAA key is distributed to the base station and the subscriber station, and is utilized as a seed of the authentication key.
  • the base station and the subscriber station generate the master key (MK) and the pre-master key (PMK)from the AAA key in step S 110 .
  • the master key (MK) is generated by using a part of the AAA.
  • the pre-master key (PMK) may be generated by using the master key, the subscriber station, and the base station.
  • the base station and the subscriber station respectively generate the authentication key (AK) in step S 120 .
  • the subscriber station and the base station may generate the authentication key (AK) corresponding to the design concept of the PKMv2 protocol.
  • the subscriber station transmits the security association capability request message to the base station in step S 130 .
  • a PKM-REQ message defined by the PKM protocol may be used.
  • the security association capability request message includes information about basic security capabilities of the subscriber station and a basic security association identifier of the subscriber station.
  • the base station When the base station receives the security association capability request message, it determines whether the request of the subscriber station can be accepted in S 140 .
  • An admission for the security association capability request depends on whether an intersection, between the security association capability which the base station can provide and the security association capability which the subscriber station requested, exists or not.
  • the security association capability response message includes the security association identifier (SAID) and the security association descriptor which defines the additional characteristic.
  • the master key (MK) and the security association identifier (SAID) related to the negotiated security association capability are stored. This enables reuse of the master key security association identifier in the EAP authentication, when the handover occurs, in step S 180 .
  • a deny message including an error code is transmitted, and the subscriber station receives the deny message in step S 150 .
  • FIG. 11 is a flowchart showing a method for performing the security association negotiation when a handover occurs, according to an exemplary embodiment of the present invention.
  • the second base station generates the pre-master key by using the master key (MK) received from the first base station, and generates the authentication key by using the pre-master key, when the handover occurs because the subscriber station moves from the first base station to the second base station.
  • MK master key
  • the subscriber station exchanges the register request message (REG-REQ) and the register response message (REG-RSP) in steps S 200 and S 210 , in order to process a CID (connection ID) synchronization with the second base station.
  • REG-REQ register request message
  • REG-RSP register response message
  • the second base station transmits the register response message for a security association (SA) renewal by using the ranging response message.
  • SA security association
  • the register response message is based on the security association capability information received from the first base station.
  • the subscriber station receives the register response message in step S 220 .
  • the subscriber station determines whether the security association capability corresponding to the security association identifier included in the security association descriptor fulfills the security association capability previously negotiated with the first base station in step S 230 .
  • a security association adding message is transmitted, and the security association negotiation is performed with the second base station in steps S 250 and S 260 .
  • the security association negotiation can be performed by using the security association capability request message and the security association capability response message.
  • the present invention provides an efficient security association negotiation method having the advantage that the method corresponds to the design concept of the PKMv2 protocol in the EAP authentication of a mobile subscriber station.
  • the authentication and the security association negotiation can be performed without additional exchange of a message or a random number even after the handover, so that the present invention may minimize transmission of messages and provide a delay-free communication environment.

Abstract

The present invention relates to a security association negotiation method of extensible authentication protocol (EAP) for authenticating a subscriber station user in a wireless portable Internet system. An exemplary security association negotiation method using a user authentication in a wireless portable Internet system according to an embodiment of the present invention includes following steps. A base station generates an authentication key for authenticating a user of a subscriber station. The base station receives a security association capability request message including security association capability information of the subscriber station from the subscriber station after generating the authentication key. The base station determines whether the base station is able to accept a security association capability of the subscriber station included in the security association capability request message. The base station transmits a security association capability response message including the security association capability information which is selected for a security association with the subscriber station by the base station when the security association capability of the subscriber station can be accepted. According to the present invention, a subscriber authentication for EAP may be efficiently performed without an additional message after a handover.

Description

    BACKGROUND OF THE INVENTION
  • (a) Field of the Invention
  • The present invention relates to a security association negotiation method of extensible authentication protocol (EAP) for authenticating a subscriber station user in a wireless portable Internet system. More particularly, the present invention relates to a security association negotiation method for generating an authentication key without an additional message exchange in an authentication scheme using EAP in a wireless portable Internet system.
  • (b) Description of the Related Art
  • As the next-generation communication technology, wireless portable Internet further provides mobility to a local data communication system such as a conventional wireless local area network (LAN) using a stationary access point (AP). There are various standard protocols that have been developed for supporting the wireless portable Internet, and the IEEE 802.16 working group attempts to establish an international standard of the wireless portable Internet protocol.
  • The authentication and authorization standard defined by the IEEE 802.16 establishes authentication functions for stations in a wide area network configured with wireless networks. In particular, since the subscriber station (SS) authentication function standardized by a privacy layer of the IEEE 802.16 is defined only for SSs within a fixed network, it is inappropriate for the authentication function to apply SSs or subscribers to be capable of supporting mobility, which is a current trend of mobile services. That is, in the wireless portable Internet system, the subscriber station has mobility, so it moves from a base station to another base station, and when a handover occurs, authentication key generation and security association negotiation need to be performed with a new base station.
  • As methods for authenticating a mobile terminal or a user, a PKM—(public key management) RSA method which utilizes a certificate of the mobile terminal and a PKM-EAP method for authenticating a mobile subscriber are defined. As such authentication methods, the PKMv1 protocol may be exemplified. According to the PKMv1 protocol, a terminal is authenticated by using a certificate of a mobile terminal in the IEEE 802.16 standard, and an authentication key (AK) and a traffic encryption key (TEK) are generated.
  • In addition, a newly defined PKMv2 protocol provides more various authentication methods than does the PKMv1 protocol. When classifying with reference to an authentication subject, the PKM-RSA method for authenticating a mobile terminal, the PKM-EAP method for authenticating a mobile subscriber, and PKM-RSA with EAP for authenticating both a mobile terminal and a mobile subscriber may be exemplified. According to the basic design concept of the PKMv2 protocol, the authentication key is generated by using a master key (MK) which may be obtained after authentication of a mobile terminal or a user.
  • However, according to the prior art, in the subscriber authentication methods such as EAP, the authentication key is generated after authenticating a mobile subscriber and exchanging the master key (MK) and random numbers of the base station and the subscriber station. In other words, it does not follow the basic design concept of the PKMv2 protocol. Therefore, when a handover of the subscriber station occurs, an additional message exchange is necessary, and the exchange of the random numbers through an authentication message is necessary for generating the authentication key for a new base station.
  • These problems of the prior art cause mobility of the subscriber station in the wireless portable Internet system to be reduced, and delay the data transmission.
  • The above information disclosed in this Background section is only for enhancement of understanding of the background of the invention and therefore it may contain information that does not form the prior art that is already known in this country to a person of ordinary skill in the art.
  • SUMMARY OF THE INVENTION
  • The present invention has been made in an effort to provide a security association negotiation method having the advantage of corresponding to a basic design concept of the PKMv2 protocol.
  • An exemplary security association negotiation method using a user authentication in a wireless portable Internet system according to an embodiment of the present invention includes the following steps. A base station generates an authentication key for authenticating a user of a subscriber station. The base station receives a security association capability request message including security association capability information of the subscriber station from the subscriber station after generating the authentication key. The base station determines whether the base station is able to accept a security association capability of the subscriber station included in the security association capability request message. The base station transmits a security association capability response message including the security association capability information which is selected for a security association with the subscriber station by the base station when the security association capability of the subscriber station can be accepted.
  • An exemplary security association negotiation method using a user authentication in a wireless portable Internet system according to another embodiment of the present invention includes the following steps. A first base station generates a second authentication key by transmitting a master key, which is to be a seed of a first authentication key of a subscriber station which hands over to a second base station; to the second base station. The first base station provides a first security association descriptor including security association capability information, which is previously negotiated with the subscriber station, to the second base station. The subscriber station exchanges a register request message (REG-REQ) and a register response message (REG-RSP) with the second base station. A second security association descriptor generated based on the first security association descriptor is provided by using the register response message to the subscriber station, and it is determined whether a security association capability is fulfilled. A security association identifier included in the second security association descriptor is admitted and a security association is renewed when the security association capability is fulfilled.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a schematic diagram illustrating a configuration of wireless portable Internet according to an exemplary embodiment of the present invention.
  • FIG. 2 shows a layer structure of the wireless portable Internet system shown in FIG. 1.
  • FIG. 3 is a schematic diagram illustrating a connection between a subscriber station and a base station in the wireless portable Internet system shown in FIG. 1.
  • FIG. 4 is a flowchart showing an authentication key generating process using EAP according to an exemplary embodiment of the present invention.
  • FIG. 5 shows a message flow illustrating an authentication process according to an exemplary embodiment of the present invention.
  • FIG. 6 to FIG. 8 show message configurations for security association negotiation according to an exemplary embodiment of the present invention.
  • FIG. 9 illustrates a method for performing EAP authentication and security association negotiation after a handover according to an exemplary embodiment of the present invention.
  • FIG. 10 is a flowchart showing a security association negotiation method according to an exemplary embodiment of the present invention.
  • FIG. 11 is a flowchart showing a method for performing a security association negotiation when a handover occurs, according to an exemplary embodiment of the present invention.
  • DETAILED DESCRIPTION OF THE EMBODIMENTS
  • An embodiment of the present invention will hereinafter be described in detail with reference to the accompanying drawings.
  • In the following detailed description, only certain exemplary embodiments of the present invention have been shown and described, simply by way of illustration. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present invention.
  • Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive. Like reference numerals designate like elements throughout the specification. (Phrases such as “one thing coupled to another” can refer to either directly coupling a first one to a second one or coupling the first one to the second one with a third one provided therebetween.)
  • Hereinafter, a security association negotiation method according to an exemplary embodiment of the present invention will be described in detail while referring to drawings.
  • FIG. 1 is a schematic diagram illustrating a configuration of wireless portable Internet according to an exemplary embodiment of the present invention.
  • As shown in FIG. 1, the wireless portable Internet system includes a subscriber station 10 (SS), base stations 20 and 21 (BS) performing a wireless communication with the subscriber station 10, routers 30 and 31 connected with the base stations 20 and 21 through a gateway, and an AAA server (AAA: authentication, authorization, and accounting) 40 connected to the routers 30 and 31 for performing an authentication for the subscriber station 20 and 21.
  • A conventional wireless LAN such as IEEE 802.11 provides a data communication scheme in which only near distance wireless communication using a stationary access point is possible. Therefore, this does not support the mobility of the subscriber station, and merely support a wireless local data communication.
  • Meanwhile, the wireless portable Internet system being developed by the IEEE 802.16 group supports the mobility even when the subscriber station 10 shown in FIG. 1 moves from a cell controlled by the base station 20 to a cell controlled by the base station 21, so that it can provide the data communication service.
  • The IEEE 802.16 is a standard for supporting metropolitan area network (MAN). In other words, it supports a middle size network between local area information communication network (LAN) and wide area communication network (WAN).
  • Therefore, the wireless portable Internet system supports a handover of the subscriber station 10 like a mobile communication service, and performs a dynamic IP address allocation according to movement of the subscriber station.
  • Here, the subscriber station 10 and the base stations 20 and 21 of the wireless portable Internet performs a communication in the orthogonal frequency division multiplexing access (OFDMA) scheme. The OFDMA scheme is a multiplexing scheme that combines the frequency division multiplexing scheme using a plurality of orthogonal frequency sub-carriers as a plurality of sub-channels, and the time division multiplexing (TDM) scheme. The OFDMA scheme is robust against fading occurring in a multi-path, and shows a good data transmission rate.
  • When starting a communication, the subscriber station 10 and the base stations 20 and 21 negotiate an authentication mode for an authentication of the subscriber station 10; and perform an authentication process according to the negotiated authentication mode. That is, the subscriber station 10 and the base stations 20 and 21 select the authentication mode from an authentication mode based on a digital certificate according to the conventional IEEE 802.16 privacy standard and another authentication mode based on standardized authentication protocol of a higher layer, and according to the selected authentication mode, performs the authentication process for the subscriber station 10.
  • Here, the standardized authentication protocol of the higher layer may be one of EAP-TLS (Transport Layer Security) which is an EAP framework, or EAP-TTLS (Tunneled TLS).
  • When the authentication mode based on the standardized authentication protocol of the higher layer is selected as a result of the negotiation between the subscriber station 10 and the base stations 20 and 21, the subscriber station 10 and base station 20 are ready for an authentication process based on the standardized authentication protocol of the higher layer. The subscriber station 10 generates a message for the authentication and transmits it to the base station 20, and the base station 20 performs the authentication for the subscriber station 10 through an interaction with the AM server 40.
  • FIG. 2 is a layer diagram showing a layer structure of the wireless portable Internet system shown in FIG. 1.
  • As shown in FIG. 2, the layer structure of the wireless portable Internet system according to IEEE 802.16 includes a physical layer L10 and media access control (MAC) layers L21, L22, and L23.
  • The physical layer L10 provides wireless communication functions performed by a typical physical layer such as modulation/demodulation and coding.
  • Contrarily to the wire Internet system having fractionated layers according to various functions thereof, the wireless portable Internet system has one MAC layer for providing various functions.
  • The MAC layer includes a privacy sub-layer L21, a MAC common part sub-layer L22, and a service specific convergence sub-layer L23.
  • The privacy sub-layer L21 performs equipment authentication, security key exchange, encryption, etc. The privacy sub-layer L21 performs the authentication only for equipment, and a user authentication such as the EAP is performed by a higher layer of MAC (not shown).
  • The MAC common part sub-layer L22 is a core part of the MAC layer, and it performs system access, bandwidth allocation, traffic connection set up and maintenance, QoS management, etc.
  • The service specific convergence sub-layer L23 performs payload header suppression, QoS mapping, etc., in continuous data communication.
  • FIG. 3 shows a connection configuration between the subscriber station 10 and the base station 20 and 21 of the wireless portable Internet system shown in FIG. 1.
  • As shown in FIG. 3, there exists a traffic connection C1 between the MAC layer of the subscriber station 10 and the MAC layer of the base stations 20 and 21.
  • Here, the term “traffic connection C1” does not mean a physical connection but rather a logical connection, and is defined as a mapping relationship which is formed between peers of the equivalent MAC layers in order to transmit traffic for a service flow.
  • Therefore, a parameter or a message defined on the traffic connection C1 are functions performed between the equivalent MAC layers. Actually, the parameter and the message are processed to be a frame, and are transmitted through the physical layer. Then, the frame is analyzed, and the functions corresponding to the parameter or the message are performed in the MAC layer.
  • In addition, a MAC message includes various messages such as a request for some operation (REQ), a response (RSP), and an acknowledgement (ACK).
  • FIG. 4 is a flowchart showing a process for generating an authentication key using EAP according to an exemplary embodiment of the present invention.
  • When the subscriber station 10 is trying to connect with the base station, an authentication process between the AAA server 40 and the subscriber station 10 is performed, and then an AAA key is generated in step S10. That is, the subscriber station transmits an EAP transmission request message which is a high authentication protocol to the base station, and the authentication server distributes the MA key which is generated by performing authentication and authority verification to the base station and the subscriber station. After that, the AAA is used as a seed of an authentication key (AK).
  • When the AAA key is generated, a master key MK is generated from the AAA key. The master key MK may be generated by using 160 bits of the most significant bit (MSB) of the AAA key in step S20.
  • When the master key MK is generated, a pre-master key PMK is generated by using an identifier of the subscriber station and an identifier of the base station in step S30.
  • When the pre-master key PMK is generated, the authentication key AK for the EAP authentication is generated in the subscriber station and the base station. The authentication key is distributed to the subscriber station and the base station. In the exemplary embodiment of the present invention, only the authentication using the EAP is described, but the authentication key may also have a field for an RSA authentication. According to an exemplary embodiment of the present invention, the field for the RSA authentication is given to be NULL.
  • According to the exemplary embodiment shown in FIG. 4, the negotiation process and the authentication process for the security association (SA) are not operated together but are operated separately.
  • FIG. 5 shows a message flow illustrating the authentication process according to an exemplary embodiment of the present invention.
  • The generation of the authentication key shown in FIG. 4 is performed by transmitting/receiving a plurality of EAP-transmission messages between the subscriber station 10 and the base station 20. An EAP message, which the subscriber station 10 requests to the base station 20, includes packet data supported by the subscriber station which requests the authentication, an identifier for an encryption/authentication algorithm, a basic CID for the subscriber station, and an EAP payload which is authentication data for the user authentication. Another EAP message, that the base station 20 receiving the AAA key form the AAA server 40 (not shown in FIG. 5) transmits, includes the encryption algorithm co-owned with the subscriber station, notification of success or failure of the authentication, valid time for the authentication key, and the EAP payload for the user authentication.
  • The EAP message request and response process may be performed several times until the authentication key is generated. When the authentication for the subscriber is successfully performed after the exchange of the EAP messages, notification of success in the authentication for the EAP-transmission message is lastly transmitted to the subscriber station 10, and authentication keys AK of the subscriber station 10 and the base station 20 are generated in step S41 and S42.
  • According to an exemplary embodiment of the present invention, the security association negotiating process is performed separately from the authentication key generating process in step S50. For the security association negotiation, in an exemplary embodiment of the present invention, a security association capability request message and a security association capability response message are newly defined.
  • The subscriber station 10 transmits the security association (SA) capability request message including an HMAC tuple TLV generated by using the authentication key (AK). The base station 20 inspects suitability of the HMAC tuple, and transmits the security association capability response message to the mobile subscriber station. When the base station cannot accept the security association capability request which is requested by the mobile subscriber station, the base station 20 transmits a security association capability deny message to the mobile subscriber station.
  • Through the security association negotiation process, a security association capability corresponding to an intersection of the security association capabilities of the subscriber station 10 and the base station 20 is selected.
  • FIG. 6 to FIG. 8 show configurations of messages for the security association negotiation according to an exemplary embodiment of the present invention.
  • FIG. 6 shows a configuration of the security association capability request message according to an exemplary embodiment of the present invention.
  • After the EAP authentication, the subscriber station transmits the security association capability request message as shown in FIG. 6 to the base station. The security association capability request message includes security capability, primary security association identifier (SAID), and characteristics of the HAMC tuple.
  • In the message shown in FIG. 6, the security capability is information about all capabilities of the security and encryption owned by the subscriber station. The primary SAID is an identifier for the security association (SA) of the subscriber station. It includes a basic CID.
  • HMAC tuple is generated by using the authentication key (AK). When performing an initial authentication, a key sequence number in the HMAC tuple is generated by using a hash function. Here, the authentication key (AK) is used as an input value for the hash function.
  • FIG. 7 shows a configuration of the security association capability response message according to an exemplary embodiment of the present invention.
  • The security association capability response message is a response for the security association capability request message. It is transmitted when the base station can accept the request of the subscriber station. The security association capability response message includes the key sequence number, a security association descriptor (SA descriptor), and characteristics of the HMAC tuple.
  • The key sequence number is information about a sequence number of the authentication key (AK). This may be generated by adding 1 to a previous key sequence number by the base station. The security association descriptor is a complex descriptor. It defines a security association identifier (SAID) and additional characteristics of the security association. Here, the security association identifier (SAID) is an identifier for a cipher suit which is selected for a basic security association of the subscriber station. The security association descriptor includes information about a data encryption algorithm corresponding to the SAID, a message authentication scheme, and a traffic key encryption scheme.
  • For example, for a SAID 1, it may described that a DES algorithm is used for the data encryption algorithm, HMAC is used for the message authentication, and a 3DES algorithm is used for the traffic key encryption.
  • The HMAC tuple is generated by using the authentication key (AK). When performing the initial authentication, a key sequence number in the HMAC tuple is generated by putting the authentication key (AK) as an input value for the hash function.
  • FIG. 8 shows the security association capability request deny message according to an exemplary embodiment of the present invention.
  • The security association capability request deny message includes an error code for identifying a denial reason for the security association capability request message, and the HMAC tuple is generated by using the authentication key.
  • According to an exemplary embodiment of the present invention, a security association negotiation may be provided through the security association capability request message and the security association capability response message after generating the authentication key.
  • FIG. 9 is showing an EAP authentication and security association negotiation method after a handover according to an exemplary embodiment of the present invention.
  • When a handover occurs in the subscriber station 10 from the base station 20 to the base station 21, the base station 21, which is a target base station, receives the master key from the base station 20 in order to generate the authentication key, and performs an authentication with the subscriber station 10. The base station 21, which has received the master key, generates the pre-master key (PMK) and the authentication key (AK) by using its own base station identifier.
  • In addition, a ranging process is performed for an initial timing synchronization. In order to register the subscriber station after the ranging process, a register request message (REG-REQ) and a register response message (REG-RSP), which are MAC messages, are exchanged.
  • It is determined when the security association capability is fulfilled with reference to the security association identifier (ID) included in the security association descriptor information received from the base station 20. When the subscriber station 10 selects the security association identifier which is one of the previously negotiated security association capabilities, the EAP authentication and security association of the subscriber station may be performed without an additional message.
  • When the security association negotiation of the base station 21 which is the target base station is newly needed, the subscriber station may transmit a security association capability adding message for the additional security association negotiation. The security association capability adding message may be provided in substantially the same scheme as the security association capability request message.
  • Therefore, according to the exemplary embodiment of the present invention, after the handover, the efficient EAP authentication and security association negotiation which corresponds to the PKMv2 design concept can be provided without additional message exchanges between the base station and the subscriber station, such as the random number exchange.
  • FIG. 10 is a flowchart showing a security association negotiation method according to an exemplary embodiment of the present invention.
  • When the subscriber station tries an initial access with the base station, the subscriber station performs the authentication process with the AAA server, and the AAA key is randomly generated in step S100. The AAA key is distributed to the base station and the subscriber station, and is utilized as a seed of the authentication key.
  • The base station and the subscriber station generate the master key (MK) and the pre-master key (PMK)from the AAA key in step S110. In order to reduce size, the master key (MK) is generated by using a part of the AAA. The pre-master key (PMK) may be generated by using the master key, the subscriber station, and the base station.
  • When the pre-master key is generated, the base station and the subscriber station respectively generate the authentication key (AK) in step S120. Through the described process, the subscriber station and the base station may generate the authentication key (AK) corresponding to the design concept of the PKMv2 protocol.
  • When the authentication key is generated, the subscriber station transmits the security association capability request message to the base station in step S130. For the security association capability request message, a PKM-REQ message defined by the PKM protocol may be used. The security association capability request message includes information about basic security capabilities of the subscriber station and a basic security association identifier of the subscriber station.
  • When the base station receives the security association capability request message, it determines whether the request of the subscriber station can be accepted in S140. An admission for the security association capability request depends on whether an intersection, between the security association capability which the base station can provide and the security association capability which the subscriber station requested, exists or not.
  • When the security association capability requested by the subscriber station can be admitted, then the security association negotiation is performed, the security association capability response message is transmitted, and the subscriber station receives the security association capability response message in step S170. The security association capability response message includes the security association identifier (SAID) and the security association descriptor which defines the additional characteristic.
  • When the generation of the authentication key and the security association negotiation are finished, the master key (MK) and the security association identifier (SAID) related to the negotiated security association capability are stored. This enables reuse of the master key security association identifier in the EAP authentication, when the handover occurs, in step S180.
  • Meanwhile, when the security association capability requested by the subscriber station cannot be accepted, or when there is an error in the security association capability request message, a deny message including an error code is transmitted, and the subscriber station receives the deny message in step S150.
  • FIG. 11 is a flowchart showing a method for performing the security association negotiation when a handover occurs, according to an exemplary embodiment of the present invention.
  • The second base station generates the pre-master key by using the master key (MK) received from the first base station, and generates the authentication key by using the pre-master key, when the handover occurs because the subscriber station moves from the first base station to the second base station.
  • The subscriber station exchanges the register request message (REG-REQ) and the register response message (REG-RSP) in steps S200 and S210, in order to process a CID (connection ID) synchronization with the second base station.
  • The second base station transmits the register response message for a security association (SA) renewal by using the ranging response message. Here, the register response message is based on the security association capability information received from the first base station. The subscriber station receives the register response message in step S220.
  • The subscriber station determines whether the security association capability corresponding to the security association identifier included in the security association descriptor fulfills the security association capability previously negotiated with the first base station in step S230.
  • When the previously negotiated security association capability is fulfilled, the corresponding security association identifier (SAID) is renewed, and the EAP authentication is finished in step S240.
  • When the security association capability of the second base station can not fulfill the security association capability of the subscriber station, a security association adding message is transmitted, and the security association negotiation is performed with the second base station in steps S250 and S260. The security association negotiation can be performed by using the security association capability request message and the security association capability response message.
  • According to the embodiments of the present invention, the present invention provides an efficient security association negotiation method having the advantage that the method corresponds to the design concept of the PKMv2 protocol in the EAP authentication of a mobile subscriber station.
  • In addition, according to the embodiments of the present invention, the authentication and the security association negotiation can be performed without additional exchange of a message or a random number even after the handover, so that the present invention may minimize transmission of messages and provide a delay-free communication environment.
  • While this invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (13)

1. A security association negotiation method using a user authentication in a wireless portable Internet system, the method comprising:
a base station generating an authentication key for authenticating a user of a subscriber station;
receiving a security association capability request message comprising security association capability information of the subscriber station from the subscriber station after generating the authentication key;
determining whether the base station is able to accept a security association capability of the subscriber station comprised in the security association capability request message; and
transmitting a security association capability response message comprising the security association capability information which is selected for a security association with the subscriber station by the base station when the security association capability of the subscriber station can be accepted.
2. A security association negotiation method using a user authentication in a wireless portable Internet system, the method comprising:
performing a user authority authentication by using an authentication authorization and accounting (AAA) server and generating an authentication key;
transmitting a security association capability request message comprising security association capability information of the subscriber station to the base station after generating the authentication key; and
receiving a security association capability response message comprising the security association capability information which is selected for a security association by the base station when the base station can accept the security association capability of the subscriber station.
3. The security association negotiation method of claim 1 or claim 2, wherein the generating the authentication key comprises:
generating a master key (MK) by using an AAA key generated by the AAA server;
generating a pre-master key (PMK) from the master key by using an identifier of the base station or the subscriber station; and
generating the authentication key from the pre-master key.
4. The security association negotiation method of claim 1 or claim 2, wherein the security association capability request message comprises capability information on security and encryption of the subscriber station, a security association identifier of the subscriber station, and an HMAC tuple generated from the authentication key.
5. The security association negotiation method of claim 1 or claim 2, wherein the security association capability request response message comprises sequence number information on the authentication key, a security association identifier for the security association of the subscriber station, a security association descriptor for defining additional characteristics for the security association, and an HMAC tuple generated from the authentication key.
6. The security association negotiation method of claim 5, wherein the security association descriptor is recorded in correspondence with information on at least one of a data encryption scheme, a message authentication scheme, and a traffic key encryption scheme of the security association identifier.
7. The security association negotiation method of claim 1 or claim 2, wherein the method further comprises the base station transmitting a security association denial reason message comprising an error code for denying the security association to the subscriber station when the security association capability of the subscriber station can be accepted.
8. The security association negotiation method of claim 1 or claim 2, wherein, in the generating the authentication key, an authentication is performed by using an extensible authentication protocol (EAP).
9. The security association negotiation method of claim 8, wherein the security association capability request message and security association capability response message are transmitted by using a message defined by a PKM protocol.
10. A security association negotiation method using a user authentication in a wireless portable Internet system, the method comprising:
a first base station generating a second authentication key by transmitting a master key, which is to be a seed of a first authentication key of a subscriber station which hands over to a second base station, to the second base station;
the first base station providing a first security association descriptor comprising security association capability information, which is previously negotiated with the subscriber station, to the second base station;
the subscriber station exchanging a register request message (REG-REQ) and a register response message (REG-RSP) with the second base station;
providing a second security association descriptor generated based on the first security association descriptor by using the register response message, and checking whether a security association capability is fulfilled; and
admitting a security association identifier comprised in the second security association descriptor and renewing a security association when the security association capability is fulfilled.
11. The security association negotiation method of claim 10, wherein the second authentication key is generated by using the master key and an identifier of the second base station.
12. The security association negotiation method of claim 11, wherein the method further comprises transmitting a security association capability adding message, which comprises security association capability information of the subscriber station to be added, to the second base station, when new security association identifier information needs to be added to the second security association capability descriptor.
13. The security association negotiation method of claim 12, wherein the method further comprises:
the second base station determining whether a security association capability of the subscriber station comprised in the security association capability adding message can be accepted; and
transmitting a security association capability response message comprising the security association capability information which is selected by the second base station for a security association with the subscriber station, to the subscriber station, when the security association capability of the subscriber station can be accepted.
US11/661,172 2004-08-25 2005-02-17 Method for security association negotiation with extensible authentication protocol in wireless portable internet system Active 2028-07-07 US8127136B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
KR10-2004-0067107 2004-08-25
KR20040067107 2004-08-25
PCT/KR2005/000447 WO2006022469A1 (en) 2004-08-25 2005-02-17 Method for security association negociation with extensible authentication protocol in wireless portable internet system

Publications (2)

Publication Number Publication Date
US20070297611A1 true US20070297611A1 (en) 2007-12-27
US8127136B2 US8127136B2 (en) 2012-02-28

Family

ID=35967652

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/661,172 Active 2028-07-07 US8127136B2 (en) 2004-08-25 2005-02-17 Method for security association negotiation with extensible authentication protocol in wireless portable internet system

Country Status (4)

Country Link
US (1) US8127136B2 (en)
JP (1) JP5042834B2 (en)
KR (1) KR100813295B1 (en)
WO (1) WO2006022469A1 (en)

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070016780A1 (en) * 2005-07-02 2007-01-18 Samsung Electronics Co., Ltd. Authentication system and method thereof in a communication system
US20070054734A1 (en) * 2005-09-07 2007-03-08 Morrow James W Gaming network
US20080014955A1 (en) * 2006-07-11 2008-01-17 Shannon Michael L System and method for communicating with a network node behind a subscriber station with an ip convergence sub-layer
US20080127317A1 (en) * 2006-11-27 2008-05-29 Futurewei Technologies, Inc. System for using an authorization token to separate authentication and authorization services
US20080168537A1 (en) * 2007-01-09 2008-07-10 Futurewei Technologies, Inc. Service Authorization for Distributed Authentication and Authorization Servers
US20080178004A1 (en) * 2006-01-24 2008-07-24 Huawei Technologies Co., Ltd. Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
US20080301434A1 (en) * 2007-05-30 2008-12-04 Wassim Haddad Method and apparatus for combining internet protocol authentication and mobility signaling
US20090031138A1 (en) * 2007-05-14 2009-01-29 Futurewei Technologies, Inc. Method and system for authentication confirmation using extensible authentication protocol
US20090074189A1 (en) * 2005-10-18 2009-03-19 Ki Seon Ryu Method of providing security for relay station
US20090086973A1 (en) * 2007-09-27 2009-04-02 Milind Madhav Buddhikot Method and Apparatus for Authenticating Nodes in a Wireless Network
US20090164788A1 (en) * 2006-04-19 2009-06-25 Seok-Heon Cho Efficient generation method of authorization key for mobile communication
US20090193247A1 (en) * 2008-01-29 2009-07-30 Kiester W Scott Proprietary protocol tunneling over eap
US20090271626A1 (en) * 2007-09-04 2009-10-29 Industrial Technology Research Institute Methods and devices for establishing security associations in communications systems
US20090271623A1 (en) * 2008-04-28 2009-10-29 Nokia Corporation Intersystem mobility security context handling between different radio access networks
US20100146262A1 (en) * 2008-12-04 2010-06-10 Shenzhen Huawei Communication Technologies Co., Ltd. Method, device and system for negotiating authentication mode
WO2010019020A3 (en) * 2008-08-15 2010-07-22 삼성전자주식회사 Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system
US20100211786A1 (en) * 2007-08-07 2010-08-19 Electronics And Telecommunications Research Institute Method for generating authorization key and method for negotiating authorization in communication system based on frequency overlay
US20110002465A1 (en) * 2007-12-18 2011-01-06 Electronics And Telecommunications Research Institute Integrated handover authenticating method for next generation network (ngn) with wireless access technologies and mobile ip based mobility control
US20110126021A1 (en) * 2008-08-22 2011-05-26 Qualcomm Incorporated Method and apparatus for transmitting and receiving secure and non-secure data
US8161551B1 (en) * 2009-04-21 2012-04-17 Mcafee, Inc. System, method, and computer program product for enabling communication between security systems
CN102685741A (en) * 2011-03-09 2012-09-19 华为终端有限公司 Access authentication processing method and system, terminal as well as network equipment
US20130129091A1 (en) * 2011-11-17 2013-05-23 Samsung Electronics Co., Ltd. Method and apparatus for managing security keys for communication authentication with mobile station in wireless communication system
US20140120874A1 (en) * 2012-10-25 2014-05-01 Samsung Electronics Co., Ltd Method and device for managing security key for communication authentication of subscriber station used in cooperative communication of multiple base station in radio communication system
US9125238B2 (en) 2011-08-10 2015-09-01 Ricoh Company, Ltd. Wireless communication device, wireless communication method
US20160080424A1 (en) * 2014-09-12 2016-03-17 Fujitsu Limited Apparatus and method for reestablishing a security association used for communication between communication devices
WO2018095256A1 (en) * 2016-11-26 2018-05-31 Huawei Technologies Co., Ltd. System, method and devices for mka negotiation between the devices
US20220394485A1 (en) * 2018-02-19 2022-12-08 Telefonaktiebolaget Lm Ericsson (Publ) Supporting interworking and/or mobility between different wireless communication systems
US11546759B2 (en) 2018-06-29 2023-01-03 Samsung Electronics Co., Ltd Method and device for communicating in wireless communication system

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100704675B1 (en) * 2005-03-09 2007-04-06 한국전자통신연구원 authentication method and key generating method in wireless portable internet system
US20070283142A1 (en) * 2006-06-05 2007-12-06 Microsoft Corporation Multimode authentication using VOIP
WO2008036694A2 (en) * 2006-09-18 2008-03-27 Intel Corporation Techniques for negotiation of security policies in wireless mesh networks
KR100821183B1 (en) * 2006-10-31 2008-04-14 주식회사 케이티프리텔 Method and apparatus for controlling the security mode in rnc(radio network controller)
US9350701B2 (en) * 2007-03-29 2016-05-24 Bomgar Corporation Method and apparatus for extending remote network visibility of the push functionality
CN101309500B (en) 2007-05-15 2011-07-20 华为技术有限公司 Security negotiation method and apparatus when switching between different wireless access technologies
US9246679B2 (en) 2007-12-28 2016-01-26 Intel Corporation Apparatus and method for negotiating pairwise master key for securing peer links in wireless mesh networks
CN101568082A (en) * 2008-04-25 2009-10-28 中兴通讯股份有限公司 Collocation method of base station parameters
KR101485801B1 (en) * 2008-08-18 2015-01-29 삼성전자주식회사 Method and system for supporting authentication and security protected non-access stratum protocol in mobile telecommunication system
KR101475349B1 (en) * 2008-11-03 2014-12-23 삼성전자주식회사 Security method and apparatus related mobile terminal security capability in mobile telecommunication system
US8418228B2 (en) 2008-12-03 2013-04-09 Electronics And Telecommunications Research Institute Converged access control method using network access device at penetration node of IP network of convergence ALL-IP network
KR101025083B1 (en) * 2008-12-22 2011-03-25 주식회사 케이티 Method for identifying authentication function in extensible authentication protocol
JP5468588B2 (en) * 2011-09-15 2014-04-09 株式会社東芝 Communication apparatus and program
JP2017135599A (en) * 2016-01-28 2017-08-03 サイレックス・テクノロジー株式会社 Radio base station device, radio communication system, and control method of radio base device
EP3537743A4 (en) * 2016-11-02 2019-10-30 Nec Corporation Terminal device, core network node, base station, security gateway, device, method, program, and recording medium
CN108323230B (en) * 2018-02-06 2021-03-05 福建联迪商用设备有限公司 Method for transmitting key, receiving terminal and distributing terminal
KR102124208B1 (en) 2019-02-20 2020-06-24 김상욱 Elevating installation of the radar post
US11032743B1 (en) * 2019-11-30 2021-06-08 Charter Communications Operating, Llc Methods and apparatus for supporting devices of different types using a residential gateway
US11677736B2 (en) 2021-03-25 2023-06-13 International Business Machines Corporation Transient identification generation

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5371794A (en) * 1993-11-02 1994-12-06 Sun Microsystems, Inc. Method and apparatus for privacy and authentication in wireless networks
US5657390A (en) * 1995-08-25 1997-08-12 Netscape Communications Corporation Secure socket layer application program apparatus and method
US20010005885A1 (en) * 1997-06-30 2001-06-28 Netscape Communications Corporation Cryptographic policy filters and policy control method and apparatus
US20030026430A1 (en) * 1998-05-29 2003-02-06 Makoto Aikawa Encrypting conversion apparatus, decrypting conversion apparatus, cryptographic communication system, and electronic toll collection apparatus
US20030045229A1 (en) * 2001-09-05 2003-03-06 Soma Networks, Inc. Subscriber stations
US20030097592A1 (en) * 2001-10-23 2003-05-22 Koteshwerrao Adusumilli Mechanism supporting wired and wireless methods for client and server side authentication
US20040010713A1 (en) * 2002-07-12 2004-01-15 Vollbrecht John R. EAP telecommunication protocol extension
US20040101125A1 (en) * 1999-05-17 2004-05-27 Leslie Graf Capability negotiation in a telecommunications network
US20040103282A1 (en) * 2002-11-26 2004-05-27 Robert Meier 802.11 Using a compressed reassociation exchange to facilitate fast handoff
US20040136533A1 (en) * 2002-10-31 2004-07-15 Keiichi Takagaki Communication device, communication system, and algorithm selection method
US20040242228A1 (en) * 2003-01-14 2004-12-02 Samsung Electronics Co., Ltd. Method for fast roaming in a wireless network
US20040240412A1 (en) * 2003-05-27 2004-12-02 Winget Nancy Cam Facilitating 802.11 roaming by pre-establishing session keys
US20050047597A1 (en) * 2001-12-13 2005-03-03 Zhibin Zheng Method of selecting encrypting arithmetric for realizing communication of secrecy
US20050216736A1 (en) * 2004-03-24 2005-09-29 Smith Ned M System and method for combining user and platform authentication in negotiated channel security protocols
US20070003062A1 (en) * 2005-06-30 2007-01-04 Lucent Technologies, Inc. Method for distributing security keys during hand-off in a wireless communication system
US7194763B2 (en) * 2004-08-02 2007-03-20 Cisco Technology, Inc. Method and apparatus for determining authentication capabilities
US7219223B1 (en) * 2002-02-08 2007-05-15 Cisco Technology, Inc. Method and apparatus for providing data from a service to a client based on encryption capabilities of the client
US20090019284A1 (en) * 2005-03-09 2009-01-15 Electronics And Telecommunications Research Instit Authentication method and key generating method in wireless portable internet system
US7574599B1 (en) * 2002-10-11 2009-08-11 Verizon Laboratories Inc. Robust authentication and key agreement protocol for next-generation wireless networks

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7174564B1 (en) 1999-09-03 2007-02-06 Intel Corporation Secure wireless local area network
KR100485355B1 (en) * 2002-09-17 2005-04-28 한국전자통신연구원 Inter-Distribution system handoff method in WLANs
US7448068B2 (en) 2002-10-21 2008-11-04 Microsoft Corporation Automatic client authentication for a wireless network protected by PEAP, EAP-TLS, or other extensible authentication protocols
KR20050109685A (en) * 2004-05-17 2005-11-22 에스케이 텔레콤주식회사 Method and system for user authentication based on extensible authentication protocol coexisting with device authentication in portable internet system
KR20060039564A (en) * 2004-11-03 2006-05-09 에스케이 텔레콤주식회사 Method and system for subscriber authentification in portable internet network

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5371794A (en) * 1993-11-02 1994-12-06 Sun Microsystems, Inc. Method and apparatus for privacy and authentication in wireless networks
US5657390A (en) * 1995-08-25 1997-08-12 Netscape Communications Corporation Secure socket layer application program apparatus and method
US20010005885A1 (en) * 1997-06-30 2001-06-28 Netscape Communications Corporation Cryptographic policy filters and policy control method and apparatus
US20030026430A1 (en) * 1998-05-29 2003-02-06 Makoto Aikawa Encrypting conversion apparatus, decrypting conversion apparatus, cryptographic communication system, and electronic toll collection apparatus
US20040101125A1 (en) * 1999-05-17 2004-05-27 Leslie Graf Capability negotiation in a telecommunications network
US20030045229A1 (en) * 2001-09-05 2003-03-06 Soma Networks, Inc. Subscriber stations
US20030097592A1 (en) * 2001-10-23 2003-05-22 Koteshwerrao Adusumilli Mechanism supporting wired and wireless methods for client and server side authentication
US20050047597A1 (en) * 2001-12-13 2005-03-03 Zhibin Zheng Method of selecting encrypting arithmetric for realizing communication of secrecy
US7219223B1 (en) * 2002-02-08 2007-05-15 Cisco Technology, Inc. Method and apparatus for providing data from a service to a client based on encryption capabilities of the client
US20040010713A1 (en) * 2002-07-12 2004-01-15 Vollbrecht John R. EAP telecommunication protocol extension
US7574599B1 (en) * 2002-10-11 2009-08-11 Verizon Laboratories Inc. Robust authentication and key agreement protocol for next-generation wireless networks
US20040136533A1 (en) * 2002-10-31 2004-07-15 Keiichi Takagaki Communication device, communication system, and algorithm selection method
US20040103282A1 (en) * 2002-11-26 2004-05-27 Robert Meier 802.11 Using a compressed reassociation exchange to facilitate fast handoff
US20040242228A1 (en) * 2003-01-14 2004-12-02 Samsung Electronics Co., Ltd. Method for fast roaming in a wireless network
US20040240412A1 (en) * 2003-05-27 2004-12-02 Winget Nancy Cam Facilitating 802.11 roaming by pre-establishing session keys
US20050216736A1 (en) * 2004-03-24 2005-09-29 Smith Ned M System and method for combining user and platform authentication in negotiated channel security protocols
US7194763B2 (en) * 2004-08-02 2007-03-20 Cisco Technology, Inc. Method and apparatus for determining authentication capabilities
US20090019284A1 (en) * 2005-03-09 2009-01-15 Electronics And Telecommunications Research Instit Authentication method and key generating method in wireless portable internet system
US20070003062A1 (en) * 2005-06-30 2007-01-04 Lucent Technologies, Inc. Method for distributing security keys during hand-off in a wireless communication system

Cited By (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7724904B2 (en) * 2005-07-02 2010-05-25 Samsung Electronics Co., Ltd Authentication system and method thereof in a communication system
AU2006266651B2 (en) * 2005-07-02 2010-04-22 Samsung Electronics Co., Ltd. Authentication system and method thereof in a communication system
US20070016780A1 (en) * 2005-07-02 2007-01-18 Samsung Electronics Co., Ltd. Authentication system and method thereof in a communication system
US8392707B2 (en) * 2005-09-07 2013-03-05 Bally Gaming, Inc. Gaming network
US20070054734A1 (en) * 2005-09-07 2007-03-08 Morrow James W Gaming network
US8107629B2 (en) * 2005-10-18 2012-01-31 Lg Electronics Inc. Method of providing security for relay station
US20090074189A1 (en) * 2005-10-18 2009-03-19 Ki Seon Ryu Method of providing security for relay station
US8468353B2 (en) * 2006-01-24 2013-06-18 Huawei Technologies Co., Ltd. Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
US7984298B2 (en) * 2006-01-24 2011-07-19 Huawei Technologies Co., Ltd. Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
US20110258447A1 (en) * 2006-01-24 2011-10-20 Huawei Technologies Co., Ltd. Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
US20080178004A1 (en) * 2006-01-24 2008-07-24 Huawei Technologies Co., Ltd. Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
US20090164788A1 (en) * 2006-04-19 2009-06-25 Seok-Heon Cho Efficient generation method of authorization key for mobile communication
US8051151B2 (en) * 2006-07-11 2011-11-01 Cisco Technology, Inc. System and method for communicating with a network node behind a subscriber station with an IP convergence sub-layer
US20080014955A1 (en) * 2006-07-11 2008-01-17 Shannon Michael L System and method for communicating with a network node behind a subscriber station with an ip convergence sub-layer
US20080127317A1 (en) * 2006-11-27 2008-05-29 Futurewei Technologies, Inc. System for using an authorization token to separate authentication and authorization services
US8539559B2 (en) 2006-11-27 2013-09-17 Futurewei Technologies, Inc. System for using an authorization token to separate authentication and authorization services
US20080178274A1 (en) * 2006-11-27 2008-07-24 Futurewei Technologies, Inc. System for using an authorization token to separate authentication and authorization services
US8099597B2 (en) 2007-01-09 2012-01-17 Futurewei Technologies, Inc. Service authorization for distributed authentication and authorization servers
US20080168537A1 (en) * 2007-01-09 2008-07-10 Futurewei Technologies, Inc. Service Authorization for Distributed Authentication and Authorization Servers
US8285990B2 (en) 2007-05-14 2012-10-09 Future Wei Technologies, Inc. Method and system for authentication confirmation using extensible authentication protocol
US20090031138A1 (en) * 2007-05-14 2009-01-29 Futurewei Technologies, Inc. Method and system for authentication confirmation using extensible authentication protocol
US8533455B2 (en) * 2007-05-30 2013-09-10 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for combining internet protocol authentication and mobility signaling
US20080301434A1 (en) * 2007-05-30 2008-12-04 Wassim Haddad Method and apparatus for combining internet protocol authentication and mobility signaling
US20100211786A1 (en) * 2007-08-07 2010-08-19 Electronics And Telecommunications Research Institute Method for generating authorization key and method for negotiating authorization in communication system based on frequency overlay
US8762721B2 (en) * 2007-08-07 2014-06-24 Samsung Electronics Co., Ltd. Method for generating authorization key and method for negotiating authorization in communication system based on frequency overlay
US20090271626A1 (en) * 2007-09-04 2009-10-29 Industrial Technology Research Institute Methods and devices for establishing security associations in communications systems
US9198033B2 (en) * 2007-09-27 2015-11-24 Alcatel Lucent Method and apparatus for authenticating nodes in a wireless network
US20090086973A1 (en) * 2007-09-27 2009-04-02 Milind Madhav Buddhikot Method and Apparatus for Authenticating Nodes in a Wireless Network
US20110002465A1 (en) * 2007-12-18 2011-01-06 Electronics And Telecommunications Research Institute Integrated handover authenticating method for next generation network (ngn) with wireless access technologies and mobile ip based mobility control
US20090193247A1 (en) * 2008-01-29 2009-07-30 Kiester W Scott Proprietary protocol tunneling over eap
US20090271623A1 (en) * 2008-04-28 2009-10-29 Nokia Corporation Intersystem mobility security context handling between different radio access networks
US9706395B2 (en) * 2008-04-28 2017-07-11 Nokia Technologies Oy Intersystem mobility security context handling between different radio access networks
US20110142239A1 (en) * 2008-08-15 2011-06-16 Suh Kyung Joo Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system
WO2010019020A3 (en) * 2008-08-15 2010-07-22 삼성전자주식회사 Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system
US8638936B2 (en) 2008-08-15 2014-01-28 Samsung Electronics Co., Ltd. Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system
US20110126021A1 (en) * 2008-08-22 2011-05-26 Qualcomm Incorporated Method and apparatus for transmitting and receiving secure and non-secure data
US10447657B2 (en) * 2008-08-22 2019-10-15 Qualcomm Incorporated Method and apparatus for transmitting and receiving secure and non-secure data
US20100146262A1 (en) * 2008-12-04 2010-06-10 Shenzhen Huawei Communication Technologies Co., Ltd. Method, device and system for negotiating authentication mode
US8161551B1 (en) * 2009-04-21 2012-04-17 Mcafee, Inc. System, method, and computer program product for enabling communication between security systems
US8572732B2 (en) 2009-04-21 2013-10-29 Mcafee, Inc. System, method, and computer program product for enabling communication between security systems
CN102685741A (en) * 2011-03-09 2012-09-19 华为终端有限公司 Access authentication processing method and system, terminal as well as network equipment
US9125238B2 (en) 2011-08-10 2015-09-01 Ricoh Company, Ltd. Wireless communication device, wireless communication method
US9380459B2 (en) * 2011-11-17 2016-06-28 Samsung Electronics Co., Ltd. Method and apparatus for managing security keys for communication authentication with mobile station in wireless communication system
US20130129091A1 (en) * 2011-11-17 2013-05-23 Samsung Electronics Co., Ltd. Method and apparatus for managing security keys for communication authentication with mobile station in wireless communication system
US20140120874A1 (en) * 2012-10-25 2014-05-01 Samsung Electronics Co., Ltd Method and device for managing security key for communication authentication of subscriber station used in cooperative communication of multiple base station in radio communication system
US9654969B2 (en) * 2012-10-25 2017-05-16 Samsung Electronics Co., Ltd. Method and device for managing security key for communication authentication of subscriber station used in cooperative communication of multiple base station in radio communication system
US20160080424A1 (en) * 2014-09-12 2016-03-17 Fujitsu Limited Apparatus and method for reestablishing a security association used for communication between communication devices
CN110024325A (en) * 2016-11-26 2019-07-16 华为技术有限公司 For the system of MKA negotiation, method and apparatus between equipment
EP3535926A4 (en) * 2016-11-26 2019-09-11 Huawei Technologies Co., Ltd. System, method and devices for mka negotiation between the devices
WO2018095256A1 (en) * 2016-11-26 2018-05-31 Huawei Technologies Co., Ltd. System, method and devices for mka negotiation between the devices
US10904368B2 (en) * 2016-11-26 2021-01-26 Huawei Technologies Co., Ltd. System, method and devices for MKA negotiation between the devices
US20220394485A1 (en) * 2018-02-19 2022-12-08 Telefonaktiebolaget Lm Ericsson (Publ) Supporting interworking and/or mobility between different wireless communication systems
US11778475B2 (en) * 2018-02-19 2023-10-03 Telefonaktiebolaget Lm Ericsson (Publ) Supporting interworking and/or mobility between different wireless communication systems
US11546759B2 (en) 2018-06-29 2023-01-03 Samsung Electronics Co., Ltd Method and device for communicating in wireless communication system

Also Published As

Publication number Publication date
WO2006022469A1 (en) 2006-03-02
JP2008511240A (en) 2008-04-10
KR20060042045A (en) 2006-05-12
KR100813295B1 (en) 2008-03-13
JP5042834B2 (en) 2012-10-03
US8127136B2 (en) 2012-02-28

Similar Documents

Publication Publication Date Title
US8127136B2 (en) Method for security association negotiation with extensible authentication protocol in wireless portable internet system
US8374582B2 (en) Access method and system for cellular mobile communication network
US8122249B2 (en) Method and arrangement for providing a wireless mesh network
KR100704675B1 (en) authentication method and key generating method in wireless portable internet system
US7984298B2 (en) Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
US7945777B2 (en) Identification information protection method in WLAN inter-working
JP5597676B2 (en) Key material exchange
US20090208013A1 (en) Wireless network handoff key
US20090043901A1 (en) Bootstrapping Method For Setting Up A Security Association
US7421582B2 (en) Method and apparatus for mutual authentication at handoff in a mobile wireless communication network
US20100161958A1 (en) Device for Realizing Security Function in Mac of Portable Internet System and Authentication Method Using the Device
US8881305B2 (en) Methods and apparatus for maintaining secure connections in a wireless communication network
JP2010517329A (en) Kerberos handover keying
JP2008547304A (en) Method of assigning authentication key identifier for wireless portable internet system
WO2011015060A1 (en) Extensible authentication protocol authentication method, base station and authentication server thereof
WO2010069202A1 (en) Authentication negotiation method and the system thereof, security gateway, home node b
Kim et al. Improving Cross-domain Authentication overWireless Local Area Networks
Prasad et al. A secure certificate based authentication to reduce overhead for heterogeneous wireless network
KR20080056055A (en) Communication inter-provider roaming authentication method and key establishment method, and recording medium storing program including the same
JP4677784B2 (en) Authentication method and system in collective residential network
CN1996838A (en) AAA certification and optimization method for multi-host WiMAX system
Niranjani et al. Distributed security architecture for authentication in 4G networks
KR102558364B1 (en) Method for 5g lan service
WO2021109770A1 (en) Wireless network switching method and device
KR100729729B1 (en) authentication device and method of access point in wireless portable internet system

Legal Events

Date Code Title Description
AS Assignment

Owner name: HANARO TELECOM., INC., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YUN, MI-YOUNG;MOON, JUNG-MO;YOON, CHUL-SIK;AND OTHERS;REEL/FRAME:020701/0526

Effective date: 20070222

Owner name: KTFREETEL CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YUN, MI-YOUNG;MOON, JUNG-MO;YOON, CHUL-SIK;AND OTHERS;REEL/FRAME:020701/0526

Effective date: 20070222

Owner name: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTIT

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YUN, MI-YOUNG;MOON, JUNG-MO;YOON, CHUL-SIK;AND OTHERS;REEL/FRAME:020701/0526

Effective date: 20070222

Owner name: SK TELECOM CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YUN, MI-YOUNG;MOON, JUNG-MO;YOON, CHUL-SIK;AND OTHERS;REEL/FRAME:020701/0526

Effective date: 20070222

Owner name: KT CORPORATION, KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YUN, MI-YOUNG;MOON, JUNG-MO;YOON, CHUL-SIK;AND OTHERS;REEL/FRAME:020701/0526

Effective date: 20070222

Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YUN, MI-YOUNG;MOON, JUNG-MO;YOON, CHUL-SIK;AND OTHERS;REEL/FRAME:020701/0526

Effective date: 20070222

AS Assignment

Owner name: KT CORPORATION, KOREA, REPUBLIC OF

Free format text: MERGER;ASSIGNOR:KTFREETEL CO., LTD.;REEL/FRAME:022976/0032

Effective date: 20090601

Owner name: KT CORPORATION,KOREA, REPUBLIC OF

Free format text: MERGER;ASSIGNOR:KTFREETEL CO., LTD.;REEL/FRAME:022976/0032

Effective date: 20090601

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY